Voiceprint, fingerprint or FIDO? Agile authentication is coming

Business agility is not a new concept but with the explosion of the digital economy we are getting to crunch time.

But it is not all up to the techies. The need for agile technology affects all of us every day.

Right now most of us log into various systems and services using usernames and passwords – a process known as authentication. This basically matches digital identity information stored by the organisation to a person or, in some cases, a service.

The authentication options available to us are rapidly changing. A username and password may not be enough to do a bank transfer, for example – we may be prompted for a 6-digit code sent via SMS. Or we may be able to log into our Internet banking on an iPhone by using our thumbprint alone, with no username and password required.

There are at least three good reasons for organisations to embrace new authentication methods:

1. For security. The issues associated with usernames and passwords are well known (and frequently exploited). Every authentication method has certain risks that make it more or less appropriate depending on the situation. If an authentication method fails it needs to be replaced – quickly. Just think how frustrating it is when the automatic teller sucks in your card because talking, texting and putting in a four-digit code simultaneously can be tricky.

2. For convenience. You may be happy enough to log into a service using a username and password but what if the provider offered to authenticate you via voiceprint instead? That would be one less username and password to remember and you might only have to say ‘hello’ to get access. Ease of use and quality of customer experience are important differentiators between digital services, so convenience is also a competitive advantage.

3. To meet customer expectations. If you are the last organisation left in your sector that doesn’t offer two-factor authentication (e.g. a 6-digit SMS code) for high value transactions, your customers will perceive your services as less secure. So service providers that embrace new authentication methods will be perceived as more innovative and secure.

But the process of embracing new authentication methods depends on the underlying security infrastructure. Unless your digital infrastructure has been built to accommodate changing authentication methods, it may be cumbersome and slow to implement them.

What we are seeing now with changing authentication methods is only the tip of the iceberg. Like everything else in the cyber security world, there is an arms race going on between the people who want to compromise systems and the people who want to protect them. As the risk profile of any given authentication method changes – generally for the worse – it will eventually become unsuitable for certain transactions. This has already happened to usernames and passwords when it comes to high value financial transactions.

As a result, new authentication methods are coming out continuously, and different authentication methods are supported by different devices. The iPhone supports Touch ID, a fingerprint identity sensor. Android phones, on the other hand, can identify their owners by scanning an image of their face. Then there is the FIDO (Fast IDentity Online) Alliance, an organisation formed to address the lack of interoperability among authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. Its new standard allows websites or cloud applications to read FIDO-enabled devices – such as smartcards – that the user has for online security.

As usernames and passwords give way to more secure authentication methods, organisations need to think about building the infrastructure that lets them keep pace.

If your organisation hasn’t evolved beyond usernames and passwords, your technical people may resist new authentication methods rather than enable them. Usernames and passwords may be hardwired into back-end IT infrastructure, and there may be some work required to change existing password dependencies. But this shouldn’t deter you: change is coming, and your company could be left behind.

A term I heard recently was “lick to authenticate”. In other words, regardless of what authentication method you support now, you should be able to swap it out and replace it with whatever is trending or appropriate in the future.

Speaking as a security person, I see a pluggable authentication service as a great leap forward for security, as it speeds the adoption of stronger authentication – like biometrics. Special thanks to Apple and Google for making authentication cool.
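The pluggable service argued for above, as an added illustration that is not code from the original post: authenticators are registered against a constructed assurance level, each transaction type carries a minimum level, and a method whose risk profile has worsened is retired in one place without the calling application changing. The levels, credentials, one-time code and verifier stubs are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Authenticator:
    name: str
    level: int                        # constructed assurance level: 1 weakest, 3 strongest
    verify: Callable[[dict], bool]    # checks the credential the user or device presents

class AuthService:
    """Pluggable authentication: methods are registered or retired without changing callers."""
    def __init__(self) -> None:
        self._methods: Dict[str, Authenticator] = {}
        self._policy: Dict[str, int] = {}   # transaction type -> minimum level required

    def register(self, auth: Authenticator) -> None:
        self._methods[auth.name] = auth

    def retire(self, name: str) -> None:
        # A method whose risk profile has worsened is swapped out here, nowhere else.
        self._methods.pop(name, None)

    def set_policy(self, transaction: str, min_level: int) -> None:
        self._policy[transaction] = min_level

    def options_for(self, transaction: str) -> List[str]:
        need = self._policy.get(transaction, 1)
        return sorted(n for n, a in self._methods.items() if a.level >= need)

    def authenticate(self, transaction: str, method: str, credential: dict) -> bool:
        auth = self._methods.get(method)
        if auth is None or auth.level < self._policy.get(transaction, 1):
            return False    # unknown/retired method, or too weak for this transaction
        return auth.verify(credential)

def build_demo() -> AuthService:
    svc = AuthService()
    salt, pw_hash = b"demo-salt", hashlib.sha256(b"demo-salt" + b"correct horse").hexdigest()
    svc.register(Authenticator("password", 1, lambda c: hmac.compare_digest(
        hashlib.sha256(salt + c.get("password", "").encode()).hexdigest(), pw_hash)))
    svc.register(Authenticator("sms_otp", 2, lambda c: hmac.compare_digest(
        c.get("code", "").encode(), b"482913")))           # constructed one-time code
    # Device-bound methods: the phone or token has already matched the finger or key;
    # the service only consumes the device's yes/no assertion (simulated here).
    svc.register(Authenticator("fingerprint", 3, lambda c: c.get("device_match") is True))
    svc.register(Authenticator("fido", 3, lambda c: c.get("assertion_valid") is True))
    svc.set_policy("view_balance", 1)     # password alone is still acceptable here
    svc.set_policy("bank_transfer", 2)    # high value: password alone is not enough
    return svc
```

Retiring `sms_otp` via `retire()` leaves `options_for("bank_transfer")` with only the device-bound methods, and no transaction code has to change.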